As you may be aware, VMware has announced the deprecation of Integrated Windows Authentication in a future release of vSphere (see the VMware KB). So we had a task for our customers: switch to AD over LDAP authentication. I’ve prepared this manual and want to share it with you to save you time on discovering and testing the procedure.
I’m going to use a secure LDAP connection (LDAPS) to AD. To achieve this you need certificates on the AD domain controllers. Let’s use self-issued certificates from an internal Certification Authority.
The following steps are done on the first AD domain controller:
- Create a domain user with default permissions, for example ldapsauth@the.lab (the domain name can be different, depending on your setup)
- Open “Add roles and features” and add the Certification Authority role (Active Directory Certificate Services)
- Configure the Certification Authority
Replace the CN and DN with your own values
Change the validity period to 10 years
- Reboot the host if necessary
- Open MMC and add the Certificates snap-in
- You should see the issued certificate
Note: do not forget that the domain controller certificate is issued for 365 days. You need to renew the certificate and upload it to vCenter and NSX Manager every year.
- Run “ldp” from a PowerShell prompt started as Administrator
- Type in the name of your AD DC, port 636, with SSL enabled
Click “OK” to connect
- You should get a response similar to the following
If you don’t get a similar response, troubleshoot it and do not continue with the next steps until it is fixed.
- Run MMC, open Certificates and export the issued certificate
- Now you need to request a certificate on the second AD domain controller
Open certlm.msc (or MMC -> Certificates) on the second AD domain controller
- Export the certificate from the second AD domain controller
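The ldp check and the MMC export above can also be done from PowerShell. The script below is an added example, not from the original post: it opens a TLS connection to each domain controller on port 636, reports the certificate the DC presents (subject, issuer, expiry, days left) and saves that certificate as a DER-encoded .cer file, which is the same format MMC exports. The DC names ad01.the.lab / ad02.the.lab and the output folder C:\ldaps-certs are assumptions taken from the lab setup in this post; replace them with your own.

```powershell
# Added example, not part of the original post: verify the LDAPS listener on a DC and
# save the certificate it presents, so it can be uploaded to vCenter / NSX Manager.
function Get-LdapsServerCertificate {
    param(
        [Parameter(Mandatory)] [string] $DomainController,
        [int]    $Port   = 636,
        [string] $OutDir = 'C:\ldaps-certs'      # assumed output folder
    )

    $tcp = New-Object System.Net.Sockets.TcpClient
    $tcp.Connect($DomainController, $Port)      # throws if port 636 is not listening

    # The callback accepts any certificate: we only want to see what the DC presents,
    # whether or not this machine already trusts the issuing CA.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($DomainController)
        # Copy into an X509Certificate2 so the object outlives the stream
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                    -ArgumentList $ssl.RemoteCertificate
    }
    finally {
        $ssl.Dispose()
        $tcp.Dispose()
    }

    $dnsName  = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays

    if (-not (Test-Path $OutDir)) { New-Item -ItemType Directory -Path $OutDir | Out-Null }
    $file = Join-Path $OutDir "$DomainController.cer"
    # DER-encoded .cer, the same as the MMC "DER encoded binary X.509" export
    [System.IO.File]::WriteAllBytes($file,
        $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))

    [pscustomobject]@{
        DomainController = $DomainController
        Subject          = $cert.Subject
        Issuer           = $cert.Issuer
        DnsName          = $dnsName
        NameMatchesHost  = ($dnsName -eq $DomainController)
        NotAfter         = $cert.NotAfter
        DaysLeft         = $daysLeft
        Thumbprint       = $cert.Thumbprint
        ExportedTo       = $file
    }
}

# Assumed lab DC names from the post; replace with your own domain controllers.
foreach ($dc in 'ad01.the.lab', 'ad02.the.lab') {
    try {
        $r = Get-LdapsServerCertificate -DomainController $dc
        $r | Format-List
        if ($r.DaysLeft -lt 30) {
            Write-Warning "$dc : certificate expires in $($r.DaysLeft) days; plan the renewal and re-upload."
        }
        if (-not $r.NameMatchesHost) {
            Write-Warning "$dc : certificate name '$($r.DnsName)' differs from the host name you will put in the ldaps:// URL."
        }
    }
    catch {
        # Same rule as the ldp check: do not continue with vCenter / NSX until this succeeds.
        Write-Error "LDAPS check failed for $dc : $($_.Exception.Message)"
    }
}
```

Run it from any domain-joined machine that can reach both DCs; the .cer files it writes are the ones you upload in the vCenter and NSX Manager steps below, and the DaysLeft value is the number to watch for the yearly renewal.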
- Configure vCenter to use an LDAPS connection to AD
Open the vSphere client and go to Administration -> Single Sign On -> Configuration -> Identity Provider -> Identity Sources
Click ADD
Fill in all the required information.
You might want to use the whole domain to search for users and groups; in that case define the root “DC=the,DC=lab” as the Base distinguished name for both users and groups.
Type in the username and password of the AD user you created in step 1 of this manual.
Specify the domain controller URLs, such as “ldaps://ad01.the.lab:636” and “ldaps://ad02.the.lab:636”
Upload the SSL certificates you exported in the previous steps for both AD domain controllers.
- You should see the new LDAPS identity source
- Configure NSX Manager to use an LDAPS connection to AD
Open NSX Manager -> System -> Users and Roles -> LDAP
Click “Add Identity Source”
- Fill in:
Name – name of the connection, for example “LDAPS to the.lab”
Domain Name – for example “the.lab”
Type – “Active Directory over LDAP”
Base DN – specific to your AD, for example “DC=the,DC=lab”
Description – optional
Click “Set” for LDAP Servers
Click “Add LDAP Server” and provide:
Hostname/IP – name or IP of the AD DC,
LDAP Protocol – “LDAPS”,
Port – 636,
Bind Identity – the AD user account used for authentication (it needs at least read-only permissions in AD),
Password,
Click “Check Status” and then “Apply”
- Finally, you should see the identity source configured and tested
- Switch to “User Role Assignment”
Click “Add”
- Choose “Role Assignment for LDAP”
- Select your Search Domain (the one you named earlier), search AD for the user/group, set the Roles and Save
- You should see your user/group added to the list
- All done, you are ready to test your AD authentication over LDAPS!
The following steps are required when the certificate is re-issued (after 365 days, for example).
- Open MMC and add the Certificates snap-in
Go to Certificates -> Personal -> Certificates
Check the new certificate (it should have the same name as the original but a new issue date and a new valid-to date)
Follow the same steps as before to export the certificate
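Picking the renewed certificate out of the Personal store can be scripted as well. The function below is an added example, not from the original post, and is meant to run on the domain controller itself: it lists the Server Authentication certificates in Cert:\LocalMachine\My (the store MMC shows as Certificates -> Personal -> Certificates) that carry the DC’s name, selects the one with the latest issue date, compares its thumbprint with the one you uploaded last time, and exports it with Export-Certificate. The output path and the PreviousThumbprint placeholder are assumptions; replace them with your own values.

```powershell
# Added example, not part of the original post: find the renewed DC certificate in
# the local Personal store and export it as a DER .cer for upload to vCenter / NSX.
function Export-RenewedDcCertificate {
    param(
        # Assumes the DC's FQDN resolves from its own host name
        [string] $DcFqdn = ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME)).HostName,
        # Thumbprint of the certificate currently uploaded to vCenter / NSX (optional)
        [string] $PreviousThumbprint = '',
        [string] $OutFile = "C:\ldaps-certs\$($env:COMPUTERNAME)-renewed.cer"   # assumed path
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
    $dnsType = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName

    $candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $c   = $_
        $eku = $c.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $c.HasPrivateKey -and
        ($eku -and (($eku.EnhancedKeyUsages | ForEach-Object Value) -contains $serverAuthOid)) -and
        # Match on the first DNS SAN entry or on the subject CN (both hold the DC FQDN)
        ($c.GetNameInfo($dnsType, $false) -eq $DcFqdn -or $c.Subject -like "CN=$DcFqdn*")
    }
    if (-not $candidates) {
        throw "No Server Authentication certificate for $DcFqdn found in Cert:\LocalMachine\My"
    }

    # The renewed certificate keeps the same name but has a later NotBefore / NotAfter
    $newest = $candidates | Sort-Object NotBefore -Descending | Select-Object -First 1

    $dir = Split-Path $OutFile -Parent
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    # Export-Certificate (PKI module) writes the public certificate only; -Type CERT is DER
    Export-Certificate -Cert $newest -FilePath $OutFile -Type CERT -Force | Out-Null

    [pscustomobject]@{
        Subject     = $newest.Subject
        NotBefore   = $newest.NotBefore
        NotAfter    = $newest.NotAfter
        Thumbprint  = $newest.Thumbprint
        # True when a previous thumbprint was given and the store now holds a different one
        Renewed     = ($PreviousThumbprint -ne '' -and $newest.Thumbprint -ne $PreviousThumbprint)
        OlderCopies = @($candidates).Count - 1
        ExportedTo  = $OutFile
    }
}

# Usage: pass the thumbprint of the certificate you uploaded last year (constructed
# placeholder below) so the Renewed field tells you whether a re-upload is due.
Export-RenewedDcCertificate -PreviousThumbprint 'PASTE-PREVIOUS-THUMBPRINT-HERE' | Format-List
```

Run it once per domain controller; when Renewed is True, the exported file is the one to use in the vCenter and NSX Manager steps that follow.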
- Upload the re-issued certificates to the vCenter LDAP configuration
Open the vCenter UI
Go to Administration -> Single Sign On -> Configuration -> Identity Provider -> Identity Sources
It’s not possible to upload re-issued certificates into an existing vCenter LDAP identity source; you need to save your configuration to a text file, remove the LDAP identity source and create a new one with the same parameters and the fresh re-issued certificates, as in the previous steps.
Note: ensure you have the password of the AD service account used for LDAP authentication (in my case ldapsauth@the.lab).
Click “Add” and you are done!
Yevgeniy Steblyanko
vSphere & NSX: Active Directory over LDAPs authentication, February 3, 2022
You can use only the root CA cert, which you will renew every 10 years, in your vCenter’s truststore; no need to hassle with the rest 😉